CVE-2015-5077 – XSS in BlueSpice Wiki

Overview

A stored XSS vulnerability was discovered in the ShoutBox module of the enterprise application "BlueSpice Wiki".

Title: BlueSpice Shoutbox – Stored Cross-Site Scripting
Product: BlueSpice for MediaWiki Plugin: ShoutBox
Vulnerable version: 2.23.1
Fixed version: 2.23.1.1
Vendor homepage: http://bluespice.com/
CVE-Number: CVE-2015-5077
Discovered: 2015-06-01
By: Frederic Mohr / LastBreach Vulnerability Lab
URL: https://www.lastbreach.com/en/blog/cve-2015-5077-xss-in-bluespice-wiki

Vendor description

“BlueSpice free is the free wiki version of BlueSpice, based on MediaWiki and extends it with lots of useful features, which easen the everyday work with your wiki. BlueSpice free supports you with its free of cost functions for quality assurance, process support, administration, editing and security. Just download it and install BlueSpice!”

Source: http://bluespice.com/products/bluespice-free/

Vulnerability overview/description:

The stored cross-site scripting vulnerability exists in the ShoutBox plugin, which allows users to comment on pages in BlueSpice wiki. The plugin encodes neither the input nor the output of user-provided content. Submitted payloads are therefore stored in the database and included in the page in raw format, which browsers interpret as executable JavaScript code.

By default, BlueSpice security settings require a user to be logged in to use the ShoutBox. However, the default settings also allow for self registration.

This vulnerability can be leveraged to send a malicious script to an unsuspecting user. The victim’s browser will execute the script, as it has no way of knowing that the script should not be trusted. By exploiting this vulnerability, an attacker is able to trick users into unknowingly performing actions on the attacker’s behalf.

Proof of concept:

After login, the attacker is able to exploit the vulnerability simply by posting raw JS code in the ShoutBox comment field. Posting the following code snippet will produce a popup box containing the message “Stored XSS”.

<script>alert("Stored XSS")</script>

The code is executed by any user visiting the page that contains the comment, if the ShoutBox is selected.
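The missing output encoding described above, shown beside a hardened form. This is an added example, not BlueSpice's code or its patch; the function names and the `$shouts` rows are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function names and the $shouts array are hypothetical,
// not taken from the BlueSpice ShoutBox source or its patch.

// Vulnerable pattern: stored comment text is concatenated into HTML as-is.
function renderShoutRaw(array $shout): string {
    return '<li class="shout"><b>' . $shout['user'] . '</b>: '
         . $shout['text'] . '</li>';
}

// Hardened pattern: every user-controlled field is encoded at output time.
function h(string $value): string {
    // ENT_QUOTES encodes both ' and ", so the result is also safe inside
    // quoted attributes. ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderShoutEncoded(array $shout): string {
    return '<li class="shout"><b>' . h($shout['user']) . '</b>: '
         . h($shout['text']) . '</li>';
}

// Constructed sample rows, as they would come back from the database.
$shouts = [
    ['user' => 'alice',   'text' => 'Meeting moved to 3 pm & room "B"'],
    ['user' => 'mallory', 'text' => '<script>alert("Stored XSS")</script>'],
];

foreach ($shouts as $shout) {
    $safe = renderShoutEncoded($shout);
    printf("raw:     %s\nencoded: %s\n\n", renderShoutRaw($shout), $safe);

    // Regression check: no markup from the comment survives encoding, and
    // decoding the encoded text gives back exactly what the user typed.
    $roundTrip = html_entity_decode(h($shout['text']), ENT_QUOTES, 'UTF-8');
    if (stripos($safe, '<script') !== false || $roundTrip !== $shout['text']) {
        throw new RuntimeException('encoding regression for ' . $shout['user']);
    }
}
```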

Vulnerable / tested versions:

The vulnerability has been verified to exist in BlueSpice for MediaWiki Version: 2.23.1, which was the most recent version at the time of discovery.

Vendor contact timeline:

2015-06-01: Contacted vendor through support@hallowelt.biz
2015-06-03: Vendor response requesting detailed description
2015-06-03: Provided detailed description
2015-06-09: Vendor response acknowledging vulnerability, approximate patch date is set to 2015-06-27
2015-06-10: Provided vendor with patch for this vulnerability
2015-06-21: Contacted vendor asking for status
2015-06-23: Answer from vendor: the release date of the update is set to 25th June; the vendor will send a notification upon release.
2015-06-24: Patch published in git repository
2015-06-28: Contacted vendor asking for release of new version on download page and/or customer notification
2015-07-02: Vendor published customer security notification
2015-07-09: LastBreach releases advisory

Solution

Update BlueSpice for MediaWiki to version 2.23.1.1.

Workaround

If updating to the current version is not possible, the vulnerability can be mitigated by applying the patch manually. The necessary information can be found in the patch commit.